There are 14 new CVEs for review.
| CVE | Broadcom Response | CVSS | Severity | Package | Package Version | Status | CVE Published | CVE Discovered | Image Created |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-41723 | New | 7 | high | golang.org/x/net | v0.5.0 | fixed in 0.7.0 | 2/28/23 | 5/10/23 | 1/05/23 |
| CVE-2023-24536 | New | 7.5 | high | go | 1.19.4 | fixed in 1.20.3, 1.19.8 | 4/06/23 | 5/10/23 | 1/05/23 |
| CVE-2022-41724 | New | 7.5 | high | go | 1.19.4 | fixed in 1.19.6 | 2/28/23 | 5/10/23 | 1/05/23 |
| CVE-2022-41725 | New | 7.5 | high | go | 1.19.4 | fixed in 1.19.6 | 2/28/23 | 5/10/23 | 1/05/23 |
| CVE-2023-24538 | New | 9.8 | critical | go | 1.19.4 | fixed in 1.20.3, 1.19.8 | 4/06/23 | 5/10/23 | 1/05/23 |
| CVE-2023-24534 | New | 7.5 | high | go | 1.19.4 | fixed in 1.20.3, 1.19.8 | 4/06/23 | 5/10/23 | 1/05/23 |
| CVE-2023-24537 | New | 7.5 | high | go | 1.19.4 | fixed in 1.20.3, 1.19.8 | 4/06/23 | 5/10/23 | 1/05/23 |
| CVE-2023-20860 | New | 7.5 | high | spring-core | 5.3.5 | fixed in 6.0.7, 5.3.26 | 3/27/23 | 5/10/23 | 1/25/23 |
| CVE-2022-25647 | New | 7 | high | gson | 2.3.1 | fixed in 2.8.9 | 5/02/22 | 5/10/23 | 1/25/23 |
| PRISMA-2023-0067 | New | 7.5 | high | com.fasterxml.jackson.core_jackson-core | 2.11.1 | fixed in 2.15.0 | 4/24/23 | 5/10/23 | 1/25/23 |
| CVE-2021-46877 | New | 7 | high | com.fasterxml.jackson.core_jackson-databind | 2.13.0 | fixed in 2.13.1, 2.12.6 | 3/18/23 | 5/10/23 | 1/25/23 |
| CVE-2022-34169 | New | 7.5 | high | org.apache.xalan_xalan | 2.7.2 | fixed in 2.7.3 | 7/19/22 | 5/10/23 | 1/25/23 |
| CVE-2018-1000802 | New | 9.8 | critical | python | 2.7.5 | fixed in 2.7.16 | 9/18/18 | 5/10/23 | 1/25/23 |
| CVE-2016-9063 | New | 9.8 | critical | python | 2.7.5 | fixed in 3.6.2, 3.5.4, 3.4.7,... | 6/11/18 | 5/10/23 | 1/25/23 |
API Gateway 10.1
Broadcom Response:
Regarding the gateway-pm-tagger:1.0.1 image CVEs: pm-tagger has no exposed interfaces; it only makes outbound calls to the Kubernetes API. The image is also distroless, meaning it has no shell.
Please find the gateway-base image CVE analysis below:
CVE-2023-20860
Gateway does not use the vulnerable functionality, i.e. MVC request matching.
CVE-2022-25647
As per the vulnerability fix provided here (https://github.com/google/gson/pull/1991/files), none of these classes are being used directly or indirectly in Gateway modules, so this CVE does not affect Gateway.
PRISMA-2023-0067 - This does not contain enough info to investigate; we need a CVE.
CVE-2021-46877
Gateway does not make use of the vulnerable class/functionality, i.e. NodeSerialization.
CVE-2022-34169
The CVE description says, 'An integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode'. Gateway does not use the XSLTC compiler to compile the stylesheets, so this CVE does not affect Gateway.
CVE-2018-1000802
Only Windows is vulnerable to this issue; Gateway is not affected by this CVE.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1000802
CVE-2016-9063
The CVE description says, 'An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.'
The National Vulnerability Database (NVD) mapped CVE-2016-9063 to this component version, but the Black Duck Security Advisory (BDSA) team has determined it is not affected.